Sources of Data in a Digital Forensic Investigation

INTRODUCTION

Digital investigators face an array of sources and data that they can and need to acquire to get the correct information during an investigation. From data on a computer, hard drive, laptop, network logs, mobile devices, and social networking sites, this information can amount to a mountain of data. There are many challenges that lead up to acquiring this data. Even the terminology of “mobile devices” is challenging because now in 2013, this can be a multitude of devices; cell phones, PDA’s, audio players, tablets, and more. These devices also carry information about social networking sites inside the device or logs onto a site to go and get information about a person.

In the information age this information is vast and the data is piled as high as it can possible be. Investigators also have to search more thoroughly for data because criminals know how to hide the data.

PRIVACY CHALLENGES

A challenge that occurs is the fact of the 4th amendment and the ability to search and seize a persons property. Just as if there is a Legal and Illegal Physical there is the same when it comes to a digital search. The 4th amendment was created because of the General warrants that the King of England granted to the soldiers and gave officials permits to enter a home and search for evidence at will. Now in order to do a search, the power lies in the hand of a judge and there has to be legitimate evidence and reason to enter. When the police enter a home they can search and seize property that is out in the open and written in the warrant.

The basic rules for looking through a computer start with the Data Acquisition phase and the data reduction phase. The first phase is making a digital image of the entire hard drive and then sorting out the type of information or data that needs to be searched. The one issue with this in dealing with the 4th amendment is that when an investigator looks in a house, they do not look at the whole house or take the house with them. In the warrant, a specific type of information is searched and the rest should be left alone. This is a potential way that a law can be created to limit the ability of making a bit stream or image of the hard drive. Questions also arise about what exactly is considered a search or when does the search actually occur.

NETWORK LOGS

Network logs are one way that a digital investigator can gather information against an attacker. When a hacker or cracker decides that he/she will attack a network, the first thing that they will do is probe a network. Probing is more of the attackers reconnaissance. What this does is it gives the attacker a clear image of the network set-up and system. The attacker will probe around this network, even looking at or changing the MAC configurations and come up with a plan to attack the network or to do what was originally planned. In the target system, when successful in getting in, they can exploit the system configuration (Yasinsac, 2001) to get past the systems security.

After this they will penetrate the system by changing logs and changing privileges by breaking into root accounts. Through this they are able to install trojanized utilities, record passwords, delete files and much more. They can then try to hide this attack in the system logs by clearing them of hiding files. These log files are the best way for a digital investigator to discover an attack and the person(s) that did it. Every time there is an intrusion attackers leave behind something.

Network logs are very useful to detect Network Intrusion. When an attacker breaks into the network they will leave information and footprints that will give an investigator the ability to detect this event. The network could also be equipped with a IDS (intrusion detection system) that could send alerts to the security office as soon as an intrusion is attempted. Logs will be able to give information like the originating IP Address with time and date stamps.

Malware installation can be detected by network logs because it will give the time and origin that the information was downloaded. Malware comes in different forms, so if a Trojan Horse would probably be difficult to detect the origin. But if there is an internal investigation of a virus, the log will be able to tell when a certain employee logged in and out of the workstation. Also there is information on programs that have been executed.

Network Logs will also be able to detect Insider File deletion. Seeing logs of the actions of an employee, logging in every key stroke will be able to tell what the person did. Logs can also be compared against a backup log that will have the ability to tell which files were deleted.

CHALLENGES

One challenging aspect that an investigator has to deal with is the deleted files themselves. He would have to ask himself: “What files were deleted if any?” and “How to recover the deleted files along with the system logs”. This type of investigation is difficult to do because the investigators must be diverse and very keen on finding this information. They do this also by gathering different amounts of evidence from different places. There are different places to find these files in application files, caches and backups.

The organization also needs to keep records of the activity logs from the beginning. This needs to be a policy. An individual logging in and out of their computer and records of phone calls are event logs. They need to come up with a pattern and a timeline of the logs. Accessing Network services like FTP sessions or Telnet is a way to obtain information. Also, if it is an insider attack then monitoring the logs of email and web access is another way of obtaining information.

Companies also have a duty to protect an employee’s privacy when the employee thinks it should be protected. There is a statement of a “Reasonable Expectation of Privacy” and if this is true then the employee’s activities will not be admissible in court. Challenges like this give companies a road block when trying to prosecute. There is also a situation when an employee has no expectation of privacy and this would hold up in court.

COMPUTER HARD DRIVE

Computer hard drives in a computer forensic investigation are one of the first places that a digital investigator will look in the beginning of an investigation. Computer hard drives are the usually the main focus on any investigation.

The first issue when investigating and gathering a hard drive is to make sure that no data will be changed on the computer. If possible it is best to have the computer on and get a live image of the RAM this way volatile memory will be documented. If that image is not able to be created then an image of the hard drive can also be created.

Chain of custody is a challenging aspect of the collection of a hard drive. Chain of custody refers to “documentation that identifies all changes in the control, handling, possession, ownership, or custody of a piece of evidence”(Oppenheimer, 2013). This is very important because if the case goes to court, the judge needs to know where the evidence has been and the date and time of the evidence. The correct people must be accountable for the evidence at all times in case there is question about any changes. Also the integrity of the information cannot be compromised.

There are many different ways of getting forensic information from a computer. One way to begin is to use a computer Spy Software. One of these types of software is called Spytech Net Vizor, these tract and monitor all activities performed in a network. IE: “including screenshots, keystrokes typed, program and internet usage, emails and chats, file/document usage, and much more. ”(Spytech, 2013). This will track all information in your network, report behaviors and theft. This tool will have more of an Initial Investigative Push from the inside that an investigator could use if available.

One of the best tools to use is EnCase Forensics. This is used by many digital investigations and it can analyze different Operating Systems. Deleted files can be seen and with a strong script engine GUI this product is powerful. In regards to network intrusion, this is not a good tool to use. A diagnosis of the hard drive will be able to tell all the information that was typed on the computer but not necessarily on the network.

Malware installation can be detected on a computer hard drive. Depending on what kind of investigation we are doing then this would be a good source for this information.

Insider file deletion can be detected on a computer hard drive and it is the best source for it. In an investigation and concentrating on an employee, this data can be used to tell what a particular employee did especially if all the keystrokes are recorded.

CHALLENGES

For computers this is a similar issue but with different operations. Computers now have a new kind of search: searching of data that is on a hard drive or any other storage device (Kerr, 2005). This also takes away the practice of “tossing” a home looking for evidence and flipping mattresses. This type of search is more of a “copy, scan, and copy”(Kerr, 2005). This information is taken by a computer forensic team and it could take days to months to analyze the evidence. Using different types of software and techniques create a different kind of investigation that a regular police investigator may not be used to. This presents a challenge in policy and timing of “cracking” a case.

For example, in a murder case, investigators say that they need to find a suspect within 48 hours in order to have the best chance of solving the crime. Well in computer forensics, it will take longer to gather all the evidence, but the data will be there longer than 48 hours and will provide more investigative information than walking door to door.

Computer hard drives also come in different forms as opposed to a home. Warrants for a home may say that an investigator can only gather evidence that pertains to the subject at hand, for example, drugs. But if they find child pornography, this will not be admissible in court. Well with hard drives this can be the same scenario. Files on a computer are more like giant rooms of information. Files have folders, sub folders, clusters and many other different files and filing systems. The question does come up though of what does it mean to conduct a search on a computer. This starts with a copy or an image of the device and that information is brought to the investigators office computer and the search is performed there.

Destruction of information is also an issue. In a home, individuals could burn or destroy a physical device, but on a computer hard drive, deleted files can be recovered. Files are not deleted when marked as deleted; they are only allocated by the Master File to be available space to be written over when required.

Searches are also done physically by trained physical teams of police officers looking from room to room even having a dog to sniff out drugs or weapon. But after the search of the room is complete then they are done and on to the next room. But the police have a specific amount of time that they have to complete a search.

Computer hard drives are different, first the image of the hard drive is at the investigators lab and the amount of time that an investigator can spend is dependent upon the investigator and the importance of the case. They can also search and locate specific files by using the software or search terms.

But it is not always this straight forward and files can be hidden or encrypted. This means that the analysis needs to break or guess the encrypted code and if they cannot do that then they will not have any evidence. There are ways to find the key because sometimes they are located on the hard drive. Also there are challenges to collecting data because criminals are always a step ahead of the forensic investigators, data can be hidden in other files remotely and a laptop at the home may just be nothing.

SMARTPHONES

Data that can be taken from a smartphone can be SMS, MMS, call logs, emails, webpage bookmarks, photo’s, videos, and calendar notes. There are 2 ways to obtaining evidence from iPhones and Android phones. These are a Physical and Logical method. Physically with an iPhone a person has to jailbreak the OS and this changes slightly the data on the phone.

iPhones can be forensically examined by first using iTunes to create a backup copy and an image of the phone. When the phone is connected the automatic synchronization has to be disabled because the integrity of the data needs to be maintained. A folder will be created in this iPhone image with a hash value for the iPhone with the backup file. These files include “three plist files, one mbdb file, and one mbdx file”. These files had to be decoded using the correct software: two types of software that can be used are SQLite Database browser and Plist Editor for Windows. The type of data that can be read are, including sent and received SMS, calendar events, call history, and address book entries and Facebook/Twitter account information.

In the usefulness of Network Intrusion, Malware Installation and Insider File Deletion, Smart phones will be useful for corroborative evidence. Information in the phone like the logs and text of what the person did will be helpful to determine the person’s actions and a timeline of what occurred.

CHALLENGES

There are many challenges of analyzing a smartphone. Smart phones are used for a large part of social networking and Finn stated that “ 43% of smartphone users use them to communicate with people on social networking sites (Finn, 2012). Smart phones examination is difficult because they are always updating the data, apps and the system. This will cause for precious evidence to be lost. In iPhones, the operating systems are closed systems and the only way for them to be open is to jailbreak them. Other operating systems are closed systems also like the Android OS. One system that is not open is the Linux-based smartphones, but not many users have a smartphone like that. Also with the OS of these smartphones, the companies update the OS frequently and it makes it hard for digital investigators to keep up with the examination methods and tools they need to examine each release. (Mutawa, 2012).

SOCIAL NETWORKING SITES

In the last few years, Social Networking sites have become most popular in online and overall communication between people. These sites include Twitter, Myspace, Instagram and Facebook being the most popular. “A study estimated that the number of unique users of online social networks worldwide was about 830 million at the end of 2009” (Mutawa, 2012). This avenue of communications gives an infinite number of cyber criminals an opportunity to commit cyber crimes. When this happens there is always some kind of footprint left behind and a way for a digital investigator to find out who the culprit is. Cyber criminals also are aware about leaving digital footprints and do their best to cover this up. These are challenges that the Digital Forensic Investigators have to deal with but the majority of these people leave a lot of electronic evidence that is not hard to acquire when there is access to a laptop or computer.

The data that is left on the social networking websites can be traced and recorded in different ways. On iPhones, Facebook stores a database for each friend in the friends list that has their ID numbers, names and phone number (Bader and Baggili, 2010). There is also a directory in the phone with Twitter information that stores the account information, usernames, attachments that were sent with the tweets along with date and time stamps. Data from one of these sites can also be taken from the site itself. An investigator may have a warrant that can give them the authority to get data from the activity of a user.

In checking on a smartphone the type of information that can be used for a forensic investigator taken from an iPhone was not much. In an experiment by Mutawa the phones contained three files pertaining to Facebook, and the first file showed Facebook friend data with ID’s, names and URL’s (Mutawa, 2012). The second file had the users photos, comments, username, ID and activity logs. The third file had information on the iPhone in a plist file. It has information on user ID, last email used to log in, and the URL with profile picture. This file also showed all other users that may have logged into the Facebook using the app. It also showed friends that had an active chat with a timestamp. This shows how some social networking sites can be used as a source of data for a digital investigator.

CHALLENGES

The challenging aspects can start from the actual acquiring of the information. We discussed about the 4th amendments and getting warrants, well if this information is private then a law enforcement officer would have to have evidence and reason to go to a place like Facebook and request information. Also the Law Enforcement agency would need to have the proper software and equipment to gather the information. After gathering the info, the proper way to analyze the info is needed too. This would mean that a qualified investigator would be needed, but after this is acquired the information to be analyzed would be efficient for data.

CONCLUSION

Different sources of data can provide a vast amount of information for a digital investigator. We have looked through sources such as network logs, computer hard drives, social media sites and smart phones. These different sources have different ways of providing information for an investigator and it could be very surprising for a criminal to even know that this information is available. Recently, the former New England Patriot football player, Aaron Hernandez, physically broke his phone to cover up information of his crime (Wilson, 2013), but he failed to realize that this information is still on his phone and on different surfaces and in recoverable formats.

We also discussed the challenges in collecting this information that goes even beyond the physical collection. Locating the information, proper software, and legal issues were some issues in dealing with the collection and processing of the data.

Collection of digital evidence can be very exciting and challenging in the process. We are living in the information age of where technology is part of our everyday lives. Our devices hold the information in which crimes are committed with or around and the investigation and analysis of this data is prevalent and will only continue to grow.